Tuesday, February 11, 2014


GRC is a system of people, processes and technology that enables an organization to:

  • understand and prioritize stakeholder expectations;
  • set business objectives congruent with values and risks;
  • achieve objectives while optimizing risk profile and protecting value;
  • operate within legal, contractual, internal, social and ethical boundaries;
  • provide relevant, reliable and timely information to appropriate stakeholders; and
  • enable the measurement of the performance and effectiveness of the system.
A “GRC activity,” then, is any process or activity that contributes to or is part of the system. Processes and functions typically included are:
  • Governance
  • Strategy and Business Performance Management
  • Risk Management
  • Compliance
  • Internal Control
  • Corporate Security
  • Legal
  • Information Technology
  • Business Ethics
  • Sustainability and Corporate Social Responsibility
  • Quality Management
  • Human Capital and Culture
  • Audit and Assurance
  • Finance
Each contributes to an organization’s ability to drive Principled Performance, and all can benefit from improved communication, shared strategy, common processes, coordinated schedules and integrated technology.
Processes under the areas of governance, risk management and compliance are particularly critical to system success, so a deeper look at their definitions is helpful:

  • Governance is the culture, values, mission, structure and layers of policies, processes and measures by which organizations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the Board; governance bodies at various levels throughout the organization also play a critical role. The tone that is set, followed and communicated at the top is critical to success.
  • Risk, in this context, is the measure of the likelihood of something happening that will have an effect, most importantly but not exclusively an adverse one, on the achievement of objectives. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing the adverse effects of risk.
  • Compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies.
There is some overlap among these functions, but they have distinct areas of focus and each has activities dispersed throughout an organization.
